On Tue, 5 Aug 2014 22:41:54 +0200, Simeon Ott simeon.ott@onnet.ch wrote:
On 05.08.2014, at 18:03, Dieter Klünter dieter@dkluenter.de wrote:
Can you help me find the rule that is applied during the write of an object with uid=1234? I used other objectClasses and attributes that are not in the allowed attribute list. The debugging output is attached to this email; the current ACL set is listed below.
[...]
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
        attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
        by self write
        by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
        by * read

access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$"
        attrs=children
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
        by * read
These two rule sets are applied, the objectClasses are expanded, and all attribute types of these objectClasses are allowed for write. The restricting attribute types are not considered, as @<objectClass> is applied and matched.
-Dieter
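As an added illustration (not part of this thread and not OpenLDAP code), the Python script below expands the attrs= clause of the first rule against a hand-copied subset of the standard schema: top (RFC 4512), person and organizationalPerson (RFC 4519) and inetOrgPerson (RFC 2798), with superclass MUST/MAY folded into each class the way slapd does when it loads the schema. CourierMailAccount and Vacation are not defined on this page, so the script reports them as unresolved rather than guessing their attribute lists. It shows that 14 of the 20 explicitly named attributes are already granted by an @objectClass entry, and that @top and @inetOrgPerson also grant self write to objectClass and userPassword, which the explicit list never mentions (self write on objectClass lets the account holder add object classes to its own entry). The drop_objectclass_entries helper is a hypothetical name for the obvious tightening, keeping only the explicit names; it is not a slapd feature.

```python
"""Expand a slapd ACL attrs= list against a schema subset.

Added example, not OpenLDAP code.  SCHEMA is a hand-copied subset of
RFC 4512 (top), RFC 4519 (person, organizationalPerson) and RFC 2798
(inetOrgPerson), as (superclass, MUST, MAY) per class.  CourierMailAccount
and Vacation from the thread are deliberately absent, so the script reports
them as unresolved instead of inventing their attribute lists.
"""

SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", set(), {
        "title", "x121Address", "registeredAddress", "destinationIndicator",
        "preferredDeliveryMethod", "telexNumber", "teletexTerminalIdentifier",
        "telephoneNumber", "internationalISDNNumber",
        "facsimileTelephoneNumber", "street", "postOfficeBox", "postalCode",
        "postalAddress", "physicalDeliveryOfficeName", "ou", "st", "l"}),
    "inetOrgPerson": ("organizationalPerson", set(), {
        "audio", "businessCategory", "carLicense", "departmentNumber",
        "displayName", "employeeNumber", "employeeType", "givenName",
        "homePhone", "homePostalAddress", "initials", "jpegPhoto",
        "labeledURI", "mail", "manager", "mobile", "o", "pager", "photo",
        "roomNumber", "secretary", "uid", "userCertificate",
        "x500uniqueIdentifier", "preferredLanguage", "userSMIMECertificate",
        "userPKCS12"}),
}

# attrs= clause of the first rule in the thread, copied verbatim.
THREAD_ATTRS = (
    "@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,"
    "homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,"
    "description,displayName,givenName,homePhone,homePostalAddress,initials,"
    "mobile,postalAddress,postalCode,l,telephoneNumber,title"
)


def class_attrs(oc):
    """All MUST and MAY attributes of oc, superclasses included (slapd folds
    superclass attributes into a class at schema load, so @inetOrgPerson
    also covers what person and top define, e.g. userPassword, objectClass)."""
    attrs = set()
    while oc is not None:
        sup, must, may = SCHEMA[oc]
        attrs |= must | may
        oc = sup
    return attrs


def expand_attrs(spec):
    """Return (effective, redundant, unknown) for an attrs= clause.

    effective : every attribute the clause grants access to
    redundant : explicitly named attributes already granted by an @class entry
    unknown   : @classes not present in SCHEMA (left unexpanded)
    Attribute names are compared case-insensitively, as LDAP does.
    """
    from_oc, explicit, unknown = set(), set(), set()
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok.startswith("@"):
            oc = tok[1:]
            if oc in SCHEMA:
                from_oc |= class_attrs(oc)
            else:
                unknown.add(oc)
        else:
            explicit.add(tok)  # includes pseudo-attributes such as 'entry'
    covered = {a.lower() for a in from_oc}
    redundant = {a for a in explicit if a.lower() in covered}
    effective = from_oc | (explicit - redundant)
    return effective, redundant, unknown


def drop_objectclass_entries(spec):
    """Hypothetical tightening: keep only the explicit names, so the list
    actually restricts what the 'by self write' clause can modify."""
    toks = [t.strip() for t in spec.split(",")]
    return ",".join(t for t in toks if t and not t.startswith("@"))


def report(spec):
    """Summary a reviewer would want: how much is granted, what is noise,
    what could not be resolved, and which sensitive attributes slipped in."""
    effective, redundant, unknown = expand_attrs(spec)
    sensitive = {a for a in effective
                 if a.lower() in ("userpassword", "objectclass")}
    return {"granted": len(effective), "redundant": sorted(redundant),
            "unknown": sorted(unknown), "sensitive": sorted(sensitive)}


if __name__ == "__main__":
    import pprint
    print("As posted:")
    pprint.pprint(report(THREAD_ATTRS))
    print("With @objectClass entries removed:")
    pprint.pprint(report(drop_objectclass_entries(THREAD_ATTRS)))
```

Run it as-is to see the two reports side by side; the second one is the grant the explicit list was presumably meant to express. Anything still needed from CourierMailAccount or Vacation (homeDirectory, the vacation* attributes, smtpRelayFlag) is already in the explicit list, so nothing is lost by dropping the @ entries.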